Seth D. Galitzer

Systems Administrator

Department of Computing and Information Sciences

Kansas State University

finger.vbs - I wanted a tool like *nix finger that would query a Windows AD directly (from a Windows client), so I came up with this. It returns the stuff you'd usually see from finger, but also the UID/GID, the last login [1], and whether or not the account is locked. Of course, it's customized for my setup, but it should be apparent how you can change it for your own needs. Got suggestions for improvements? Drop me a line.

rt.diff - patch for the RT CLI utility which fixes a bug related to adding and deleting values from multi-value fields

[1] It turns out that AD has two fields to keep track of the last time an account was logged in. The lastLogon attribute was used by Windows Server 2000 AD, and is not replicated. The lastLogonTimestamp attribute was added with Windows Server 2003 AD and is replicated, but not frequently. By default, lastLogonTimestamp is replicated every 9-14 days, so it is not a good way to get up-to-the-minute status on a user's actual last login time. It's a tunable value, but only down to a minimum of 5 days. If you want more granular data, you'll have to roll your own. (See here for more details.) For the purposes of this script, I just wanted a general idea (i.e., see if they've logged in in the last 6 months) and not a specific timestamp, so this is good enough for me.
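
One way to "roll your own" for the lastLogon/lastLogonTimestamp difference described above, as an added PowerShell example that is not part of finger.vbs: it asks every domain controller for its local lastLogon, keeps the newest, and reports it beside the replicated lastLogonTimestamp. It assumes the ActiveDirectory (RSAT) module is available; the function names, the 180-day default standing in for "6 months", and the account name `jdoe` are illustrative.

```powershell
# Added example (not from finger.vbs). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Convert-FileTime {
    param([Int64]$Value)
    # Both attributes are Windows FILETIME values; 0 or unset means "never".
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-LastLogonDetail {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$StaleDays = 180   # assumption: roughly "the last 6 months"
    )
    $newest = $null; $newestDc = $null; $replicated = $null
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                 -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # An unreachable DC means the "newest" value may be incomplete.
            Write-Warning "Skipping $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        # lastLogon is not replicated: each DC only knows logons it handled.
        $local = Convert-FileTime ([Int64]$u.lastLogon)
        if ($null -ne $local -and ($null -eq $newest -or $local -gt $newest)) {
            $newest = $local; $newestDc = $dc.HostName
        }
        # lastLogonTimestamp is replicated, so keep the most recent copy seen.
        $ts = Convert-FileTime ([Int64]$u.lastLogonTimestamp)
        if ($null -ne $ts -and ($null -eq $replicated -or $ts -gt $replicated)) {
            $replicated = $ts
        }
    }
    # Judge staleness on the best information available from either attribute.
    $best = @($newest, $replicated) | Where-Object { $null -ne $_ } |
            Sort-Object | Select-Object -Last 1
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
    [pscustomobject]@{
        Identity           = $Identity
        LastLogonNewest    = $newest      # exact, costs one query per DC
        SeenOnDC           = $newestDc
        LastLogonTimestamp = $replicated  # replicated, can lag by days
        Stale              = ($null -eq $best) -or ($best -lt $cutoff)
    }
}

# Usage with a constructed account name:
# Get-LastLogonDetail -Identity jdoe
```

A warning about a skipped domain controller means the `LastLogonNewest` value may be older than the account's real last logon.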